Jump to content

MalwareBytes keeps detecting Trojan.Powershell


woozy
Go to solution Solved by Maurice Naggar,

Recommended Posts

As the title says, malwarebytes keeps detecting and quarantining Trojan.Powershell. Even after scanning and deleting it, it still persists. I have no idea where this came from, maybe it's when I tried to download this crack version of RDR2 that was downloaded thru torrent, other than that I have no idea. Please help.

Addition.txt FRST.txt malwarebytes-scan-logs.txt

Link to post
Share on other sites

Hello :welcome: 

I will guide you along . There are several issues on this machine. Lets keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.
Link to post
Share on other sites

On this particular system. please only go to this forum, and some other security-sites I guide you to during this case. Do NOT do any banking, shopping, loose web surfing, nor any sort of games. This machine has a heavy bunch of malware. It will take quite a bit of effort to try to squash.  And would likely take many different passes.

IF you have a good image backup from before this incident ( backed up on offline storage and you want to consider a backup restoration of the whole system, Stop and let me know.  I just want to make sure you stop un-necessary use of this machine.

Link to post
Share on other sites

I just made a backup file for all my codes and pictures into 1 folder then compressed it into a zipfile, uploaded it to drive, these files are located in my desktop. (I did this before I noticed your reply, I apologize). I will now stop any un-necessary use.

Link to post
Share on other sites

The backup should have been done well BEFORE this inFection !  I was hoping you had had a full backup from way before this had PIRATED infectious stuff.

IF this machine is mainly used for games, given the number of "security holes" that this malware has done to essential security services of this Windows pc ( right now there is no defensive security, no antivirus protection no firewall).....it would be faster to essentially erase the contents of disc and do a CLEAN NEW installation of Windows 11.  That would mean not keeping any user files or documents.

That is the quickest plus the secure & safest way for the future. Let me know if that is what you decide.

Link to post
Share on other sites

You need to have a USB type device ( like at least a thumb-flash stick device) where you can copy your personal documents and stuff to that device. USB-flash devices are commonly available at computer electronics stores. Do not save any "games". But personal text files, other documents, personal pictures if any, etc

They need to be saved to some kind of storage that is NOT on this particular machine. You can even save them to a Google drive account if you have one. Those are free. See the how-to article https://support.google.com/drive/answer/2424368

Link to post
Share on other sites

  • Please be real sure to observe these cautions.
  • There is a not a single cure for the infections and malware damage on this machine.
  • There is no sort of guarantee or warranty that the malware will be fully removed or remediated.
  • There will be several runs and checks and scans to do, even after this set here.
  • Do NOT play any sort of games of any sort while this case is here until after I give the all Clear.
  • Do NOT do any social media site vists.
  • Do NOT do any web surfing with any web browser.
  • Stay away from any sort of pirated, hack, or crack game or application program.

( Initial STEP A )

Please run the following custom script. Read all of this before you start. Please Close all open work.

Once the script-run has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program :  is FRST64.exe

Please download the attached fixlist.txt file and save it to C:\Users\jomka\OneDrive\Desktop\aa

Fixlist.txt

 

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Desktop\aa folder

RIGHT-Click on   FRST64 and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop\aa folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This is an attempt to remove the unwanted security damages done by the malware. This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  Depending on the speed of your computer this fix may take 40-50 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera + Brave caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: Temporary items & temporary cache are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

( STEP B )

Do a new scan with Malwarebytes

( STEP C )

get a set of fresh reports to see what is running, what is active. Your machine has the FRST64 report tool on the Desktop\aa folder. We will use that. Go to Desktop\aa folder. RIGHT-click on FRST64 and select 

Run as Administrator

and tap ENTER. And reply YES to allow to proceed.  

  •  When the tool opens click Yes to the disclaimer.  And be very sure to TICK the box for Addition.txt
  • Press the Scan button.

_frst_scan.jpg

  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
  • Have patience since the run may take something like 10 or so minutes  (less depending on your hardware speed)
  • Close Notepad IF those show up on Notepad.
  • Just please Attach the 2 files FRST.txt +Addition.txt  with your next reply.
  • There WILL be more to do even AFTER THIS.
Edited by Maurice Naggar
Link to post
Share on other sites

Alright, thanks. I do need to get a copy of Fixlog.txt. So please attach the Fixlog.txt from the folder Desktop\aa

Step 2
Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

>
Step 3
Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Select View ShowFile name extensions

Step 4

I suggest the following:

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on FULL scan  
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take several hours . There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Link to post
Share on other sites

The 4 trojans found by the ESET scan were already in Quarantine by the 1st script FRST64 fix. Those were 4 TrojanDownloader.Small_AGen.D trojans.
There is STILL more cleanup to do. We are far from being done. There are still traces of the infection.
Among the still-present-damage is that the malware has pretty much set Windows Defender antivirus to not protect the whole C drive.
I am listing a few more tasks below. Be sure to do all of them.
( Step 1 )

Please run the following custom script. Read all of this before you start. Please Close all open work.

Once the script-run has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program :  is FRST64.exe

Please download the attached fixlist.txt file and save it to C:\Users\jomka\OneDrive\Desktop\aa

Fixlist.txt

 

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Desktop\aa folder

RIGHT-Click on   FRST64 and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop\aa folder (Fixlog.txt) . Please attach or post it to your next reply.

( Step 2 )

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic.Run the MBAR tool as listed here 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

( Step 3 )

Now a different scan with another security scanner. 

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\jomka\DESKTOP\KVRT.exe will now show in the run box.

user posted image

add
-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\jomka\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.

user posted image

That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"

user posted image

A new Window will open, select "Run anyway"

user posted image

A EULA window will open, tick both confirmation boxes then select "Accept"

user posted image

In the new window select "Change Parameters"

user posted image

 
  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and „Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else..

  • completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20230217_183000.klr

 

  • Right click direct onto those reports, select > open with > Notepad.
  • Save the files and attach them with your next reply

( Step 4 )

Also need a new set of fresh reports for my review.

  1. Please download MALWAREBYTES MBST Support Tool
  2. In your Downloads folder, open the mb-support-1.8.7.918.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic.

 

  • There is still yet more to do, even after this here.Keep your machine off the internet as much as possible. NO web surfing. No games. No social media.
Edited by Maurice Naggar
added step 4 for fresh report
Link to post
Share on other sites

First, you are welcome. I am glad to be of help. It is quite fortunate that we managed to get the "severe" restrictions on Microsoft Defender that were silently and surreptitiously placed by the trojan infections.
The restrictions that essentially had made the whole C drive, as well as some other exploits, a "open avenue" for the trojans, those are gone.
Microsoft Defender is on and up-to-date.
The Malwarebytes trial is (also ) protecting this system with real-time protection for the rest of the Trial. I believe the Malwarebytes trial will be thru March 1 or March 2.
You should seriously consider getting a Premium license for Malwarebytes to protect this Windows, as well as your other devices, like a Android phone.

We are not yet done. And before we close I will suggest to you to change all your passwords, because of the high likelyhood that the trojan(s) compromised or lifted some of your personal information.

The Fix-run is good. The MBAR tool found no malware. The Kaspersky KVRT only found items previously isolated from the 1st Fix run that I had you do the other day. So the Kaspersky essentially found NO new or current threat.
I very much would like for you to do a whole scan of the C drive by a run of Microsoft Defender antivirus.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select CUSTOM scan & then pick the C drive  & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.

Edited by Maurice Naggar
Link to post
Share on other sites

Sorry I fell asleep lol. I tried opening Windows Security but it is just showing me a black screen (ill attach a screen shot) idk whats wrong, I've tried restarting my device but nothing changed. For now I'll be trying my best to change all my passwords.

image.thumb.png.276c2dc15926b4f097f157e8cf452034.png

Link to post
Share on other sites

Here is what to do. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.  It is a stand-alone executable. It does not "install". It is run on-demand.

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  FULLscan  .

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.